
GDPR: What does it really mean for your organisation?


25th May 2018 sees the introduction of the General Data Protection Regulation (GDPR), courtesy of the European Union. While eagerly anticipated by some organisations, for many the daunting reality of the changes GDPR brings is rapidly setting in.

There might have been a brief period of post-Brexit-vote uncertainty about GDPR, but it will go ahead as planned. In the world of data management, it’s time to smell the coffee.

In this blog article, we summarise the main aspects of GDPR and what it will mean for the way organisations must manage their data. In essence, GDPR requires that organisations will be far more accountable for how they utilise personal data and data subjects will have more control. And, just in case you were wondering, compliance is not optional.

At a glance, GDPR can be broken down into four key areas – we’ll look at each and what they could mean for your organisation:

1) Transparency

Whilst the (current) Data Protection Act 1998 states the requirement for fair and lawful processing, GDPR goes further, focusing extensively on ensuring data subjects know, understand and agree to exactly what their data are being used for.

What does this mean for you? GDPR requires information on how data are used be made available in a way that is ‘concise, easily accessible and easy to understand, and in clear and plain language’ (Article 11). Hiding uses of data in pages of complex unreadable terms and conditions will not be acceptable. Reasons for collecting the types of data must be made clear.

2) Choice

Choice, consent and the freedom to make decisions about what happens to one’s own data is a key theme running through GDPR. Whilst data controllers may need to gain data subject consent for some of their processing under the current regime, the GDPR takes it to a whole new level. Key to this is the word ‘informed’.

What does this mean for you? You’ll need to be aware of data subjects’ rights (see below). Clarity will be essential. Data subjects must be able to understand who the data controller (the organisation holding the data) is, what they are going to do with the data they are collecting and how they, as an individual, can change their mind about the processing. Requiring mandatory fields of personal data will be much harder to justify.

3) Security

Whilst it may seem obvious that data are afforded appropriate protection from unauthorised access, GDPR talks extensively about protecting networks and data stating ‘Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing’ (Recital 39).

What does this mean for you? It is the responsibility of the data controller to determine what is adequate for the data they hold. GDPR does not set out particular standards to be met. If assurances of security through regular assessment, testing and improvement where appropriate cannot be evidenced, data controllers can reasonably expect harsher action from regulators in the event of a data breach.

4) Punishment

Introducing administrative fines of up to 20 million euros, or in the case of an undertaking, up to 4% of global turnover for the previous financial year (whichever is higher), the GDPR offers significant scope for causing financial pain to organisations that fail to comply. To put this into perspective, TalkTalk were fined £400,000 under the DPA; under GDPR they could have been fined as much as £70m.

What does this mean for you? Non-compliance could be very expensive and the potential for a meaningful fine means that on financial grounds alone – GDPR must be taken very seriously and there is much work to be done prior to May 2018. Regulators may introduce their own management of the application of fines but in economically challenging times we can expect examples to be made of those failing to comply. Don’t let it be you.

Data subject rights

These are of significant importance in the Regulation. They are: to be informed, to rectification, to access, to erasure, to restrict processing, to data portability, the right to object and, finally, rights in relation to automated decision making and profiling.

The Regulation abolishes charges for access to personal data, and some data controllers may feel the impact of this change. Emphasis is placed in the Regulation on data subjects being able to access their own data in electronic form (where possible) through remote access to secure systems.

By encompassing all data processing within the EEA, rather than just that carried out by controllers located within its borders, the Regulation should offer assurance to individuals that businesses cannot escape its clutches by relocating outside the area if they wish to continue processing data within it.

Preparing for the GDPR? Ascentor can steer you through the GDPR maze

Ascentor’s GDPR Gap Analysis Service

This is your GDPR action plan, produced in one week. It’s a four-step process that will arm you with the knowledge to make business decisions regarding improvements and related resources.


If you are preparing for GDPR compliance, you’ll find our checklist of help. Please click the image to access your copy as a PDF download. As well as our own resources, we’ve also provided some helpful advice from the Information Commissioner’s Office (ICO). No email is required.

In summary

Don’t leave it to the last minute or to chance. It’s a huge data management undertaking, but it is possible to manage and achieve compliance.

Our top three actions are:

  • Conduct a gap analysis to identify the steps you need to take to comply.
  • Review existing arrangements with suppliers to ensure they offer adequate protection for your data and that the legal bases on which they may carry out processing for you are valid under the new regulation.
  • Review the data storage you own to ensure personal data cannot be accessed unlawfully.

Above all, don’t panic. Plan and prepare early but ensure you have the resources in place to enable your organisation to grow and adapt to ensure continued compliance.

For further information

If you have found this article of interest, the Ascentor blog regularly carries articles about Information Assurance (IA) and cyber security issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter.

If you’d like to discuss the topic of GDPR and data protection in more depth, or any aspect of IA and cyber security, please contact Dave James at Ascentor.


Office: 01452 881712


This is a guest blog for Ascentor, written by Arianne Kitchener LLB.
